Re: [radext] Review of draft-cheng-behave-cgn-cfg-radius-ext

<lionel.morand@orange.com> Tue, 04 March 2014 13:45 UTC

Return-Path: <lionel.morand@orange.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B7FA1A0176 for <radext@ietfa.amsl.com>; Tue, 4 Mar 2014 05:45:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.701
X-Spam-Level: ***
X-Spam-Status: No, score=3.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, GB_SUMOF=5, J_CHICKENPOX_74=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xmPZIjmscqXA for <radext@ietfa.amsl.com>; Tue, 4 Mar 2014 05:45:18 -0800 (PST)
Received: from relais-inet.francetelecom.com (relais-ias244.francetelecom.com [80.12.204.244]) by ietfa.amsl.com (Postfix) with ESMTP id F39B91A0170 for <radext@ietf.org>; Tue, 4 Mar 2014 05:45:17 -0800 (PST)
Received: from omfeda06.si.francetelecom.fr (unknown [xx.xx.xx.199]) by omfeda14.si.francetelecom.fr (ESMTP service) with ESMTP id E73B42AC704; Tue, 4 Mar 2014 14:45:13 +0100 (CET)
Received: from Exchangemail-eme1.itn.ftgroup (unknown [10.114.1.183]) by omfeda06.si.francetelecom.fr (ESMTP service) with ESMTP id CA9D124C0EE; Tue, 4 Mar 2014 14:45:13 +0100 (CET)
Received: from PEXCVZYM13.corporate.adroot.infra.ftgroup ([fe80::cc7e:e40b:42ef:164e]) by PEXCVZYH02.corporate.adroot.infra.ftgroup ([::1]) with mapi id 14.03.0174.001; Tue, 4 Mar 2014 14:45:13 +0100
From: <lionel.morand@orange.com>
To: Alan DeKok <aland@deployingradius.com>, "radext@ietf.org" <radext@ietf.org>
Thread-Topic: [radext] Review of draft-cheng-behave-cgn-cfg-radius-ext
Thread-Index: AQHPN48xEhgtIM4AIE6ZueLablyDkZrQv75Q
Date: Tue, 4 Mar 2014 13:45:12 +0000
Message-ID: <30324_1393940713_5315D8E9_30324_2050_1_6B7134B31289DC4FAF731D844122B36E4DF2BC@PEXCVZYM13.corporate.adroot.infra.ftgroup>
References: <5315A1E1.2040405@deployingradius.com>
In-Reply-To: <5315A1E1.2040405@deployingradius.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.197.38.3]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 6.0.3.2322014, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2014.3.4.80315
Archived-At: http://mailarchive.ietf.org/arch/msg/radext/jiI_0aloP7ajMSqPwxrNR6Db9cw
Subject: Re: [radext] Review of draft-cheng-behave-cgn-cfg-radius-ext
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 13:45:20 -0000

The Port-Session-Limit Attribute is defined as follow:

   This attribute is of type complex [RFC6158] and specifies the limit
   of TCP ports, or UDP ports, or the sum of the two, or ICMP
   identifiers, or the sum of the three, which is configured on a device
   supporting port ranges corresponding to a specific subscriber.

Isn't it the same purpose than the Port-Limit defined in RFC 2865?

Port-Limit

      This Attribute sets the maximum number of ports to be provided to
      the user by the NAS.  This Attribute MAY be sent by the server to
      the client in an Access-Accept packet.  It is intended for use in
      conjunction with Multilink PPP [12] or similar uses.  It MAY also
      be sent by the NAS to the server as a hint that that many ports
      are desired for use, but the server is not required to honor the
      hint.

By the way, I share the comment on Alan about avoiding polymorphic attributes and recommend the use of TLV.
I guess that two different TLV-types will have to be defined, one for external/public address+port (NAT assigned) and the other for internal/private address+port, and both TLV consisting in two sub-attributes, one in the format of "Framed-IP-address" and one ine the format of "Port".

Lionel


-----Message d'origine-----
De : radext [mailto:radext-bounces@ietf.org] De la part de Alan DeKok
Envoyé : mardi 4 mars 2014 10:50
À : radext@ietf.org
Objet : [radext] Review of draft-cheng-behave-cgn-cfg-radius-ext

  This is a quick review of the document prior to RADEXT WG meeting.


   This document proposes three new RADIUS attributes as RADIUS
   protocol's extensions, and they are used for separate purposes as
   follows:

  Any draft is a RADIUS protocol extension.  I'd suggest changing this
text to:

   This document proposes three new attributes as follows:


  The following paragraphs could be re-organized.  They currently give a
description first, followed by the attribute name.  The text also seems
redundant:

   The session limit is carried by a new RADIUS attribute ...

  Yes, most drafts define a new attribute.  I would just say:

  o Port-Session-Limit

    Sent in Access-Accept or CoA-Request.  Limits the of total number of
    TCP/UDP ports and/or ICMP identifiers which a subscriber can use.

  i.e. give the name, which packets it can occur in, and a short
description of its meaning.  The later sections will expand on these
descriptions, so there's no need to give complicated definitions here.


     o  Session Limit - This is the maximum number of TCP ports, or UDP

  Is this the same as "Port-Session-Limit" above?  If so, I suggest
using the same name.

  Also, all authorization attributes in RADIUS are for a particular
session.  So there's no need to call them "Session" limits.  By
definition, they're for one session, and only one session.


      [Discussion: should these attributes be allocated from the
      extended RADIUS attribute code space?]

  I don't think it matters.  They could be allocated from the standard
space.


3.1 Port-Session-Limit

   This attribute is of type complex [RFC6158] ...

  There is no reason to make these attributes type "complex".  Everyone
would be better served by using TLVs, as defined in RFC 6929.



3.2 Port-Session-Range

   ...
   The port range follows the encoding specified in [RFC6431];

  RFC 6431 defines a data structure of 4 fields.  This attribute re-uses
that, but inserts it in the middle of other complex fields.  So it does
not appear to follow the requirements to be an "opaque data type" as
given in RFC 6158 Section A.1.3.


3.3.  Port-Forwarding-Map Attribute

   ... In addition, the attribute may contain a
   32-bit IPv4 address or a 128-bit IPv6 address, respectively, as their
   respective NAT mappings internal IP address.

  This definition violates RFC 6158 Section 3.4, which prohibits
polymorphic attributes.


7.2.  Name Spaces

   This document establishes a new name space for Session Type (see
   Section 3.1 for the initial reservation of values.  The allocation of
   future values is according to RFC Required policy [RFC5226]

  I don't think any previous RADIUS specification defined an IANA name
space for sub-fields of an attribute.  All of the existing enumerated
types are of data type "integer".


  Over all, the goal of the document seems reasonable.  But the encoding
of the attributes violates most of RFC 6158, without giving any reason
as to why.  Implementing it as-is would impose undue burden on implementors.

  I suggest using TLVs instead of these complex data types.  That would
avoid the need for polymorphic attributes, too.

  Alan DeKok.

_______________________________________________
radext mailing list
radext@ietf.org
https://www.ietf.org/mailman/listinfo/radext

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.